
This document provides a sample configuration for Dynamic LAN to LAN VPN between Cisco IOS® Routers that use digital certificates while utilizing the IOS Certificate Authority (CA) feature. This document demonstrates how to configure the IOS CA server along with configuring a Cisco IOS Router in order to obtain an identity certificate via automatic enrollment.

The information in this document is based on these software and hardware versions:

Cisco 2851 Router that runs Cisco IOS Software Release 12.4(6)T

Cisco 871 Router that runs Cisco IOS Software Release 12.3(14)YT1

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

The certificate server also has an automatically generated trustpoint of the same name. The trustpoint stores the certificate of the certificate server. After the router detects that a trustpoint is being used to store the certificate of the certificate server, the trustpoint locks so that it cannot be modified.

Before you configure the certificate server, you can issue the crypto pki trustpoint command in order to manually create and set up this trustpoint.

This allows you to specify an alternative RSA key pair (using the rsakeypair command).

Note: The automatically generated trustpoint and the certificate server certificate are not available for the certificate server device identity. Therefore, any command-line interface (CLI), such as the ip http secure-trustpoint command, that is used to specify the CA trustpoint to obtain certificates and authenticate the connecting certificate of the client must point to an additional trustpoint configured on the certificate server device.

If the server is a root certificate server, it uses the RSA key pairs and several other attributes to generate a self-signed certificate. The associated CA certificate has these key usage extensions:

Digital Signature

Certificate Sign

Certificate Revocation List (CRL) Sign
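The certificate server side of the configuration described above, as an added example that is not part of the original page: the trustpoint is pre-created so that a dedicated RSA key pair can be named with rsakeypair, and the server is then started. The host name, domain name, key label, 2048-bit modulus, issuer name and lifetimes are assumptions for illustration.

```cisco
! Added example, not from the original page. Host name, domain name,
! key label, key size, issuer name and lifetimes are assumptions.
hostname HubIOSCA
ip domain-name cisco.com
!
! Dedicated key pair for the CA. "exportable" allows the CA key to be
! backed up; leave it off if the key must never leave the router.
crypto key generate rsa general-keys label HubIOSCA-CA modulus 2048 exportable
!
! Pre-create the trustpoint with the same name as the certificate server
! so that rsakeypair can select the key above. Once the server starts,
! the router locks this trustpoint and it can no longer be modified.
crypto pki trustpoint HubIOSCA
 rsakeypair HubIOSCA-CA
!
! SCEP enrollment from the spokes (and from the second trustpoint on this
! same router) runs over HTTP, so the HTTP server must be enabled.
ip http server
!
crypto pki server HubIOSCA
 issuer-name CN=HubIOSCA,O=cisco.com
 database level complete
 database url nvram:
 lifetime ca-certificate 1825
 lifetime certificate 365
 ! grant auto issues a certificate to anyone who reaches the SCEP URL.
 ! Acceptable in the lab; in production leave granting manual and approve
 ! pending requests with "crypto pki server HubIOSCA grant <req-id>".
 grant auto
 no shutdown
!
! Checks:
! show crypto pki server
!     -> State: enabled, issuer name, CA certificate fingerprint
! show crypto pki certificates HubIOSCA verbose
!     -> self-signed CA certificate whose key usage lists
!        Digital Signature, Certificate Sign and CRL Sign
```

The no shutdown step prompts for a passphrase that protects the CA key pair in storage; record it, because it is needed to restore the CA. The fingerprint printed by show crypto pki server is the value that every enrolling router must be given out of band so it can verify the CA certificate it downloads.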

In this case, the HubIOSCA router is enrolled with a certificate using a different trustpoint in order to be able to establish a VPN tunnel with the spoke router. Define a trustpoint, as shown here (iosca is the name given to this new trustpoint):

HubIOSCA(config)#crypto pki trustpoint iosca

Enter the enrollment URL, as shown here:

HubIOSCA(ca-trustpoint)#enrollment url http://1.1.1.1:80

In this case, revocation checking is disabled, so the router accepts any certificate signed by the CA even after that certificate has been revoked. That is acceptable for this lab; in production, use revocation-check crl so that a revoked spoke certificate can no longer bring up a tunnel.

HubIOSCA(ca-trustpoint)#revocation-check none

Issue the crypto ca authenticate iosca command in order to receive the root certificate. The router displays the fingerprint of the CA certificate it downloaded and asks whether to accept it; compare that fingerprint with the one shown by show crypto pki server on the CA (or provided by the CA administrator out of band) before you answer yes, because every certificate validated afterwards is trusted on the strength of this one.

Issue the crypto ca enroll iosca command in order to obtain the identity certificate.

Start certificate enrollment...
Create a challenge password. You need to verbally provide this
password to the CA Administrator in order to revoke your certificate.
For security reasons, your password is not saved in the configuration.
Please make a note of it.
Password:
Re-enter password:
The subject name in the certificate includes: HubIOSCA.cisco.com
Include the router serial number in the subject name? [yes/no]: no
Include an IP address in the subject name? [no]: no
Request certificate from CA? [yes/no]: yes
Certificate request sent to Certificate Authority

The show crypto ca certificate iosca verbose command shows the fingerprint.

Issue the show crypto pki cert command in order to verify that the certificates have been installed.
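The enrollment steps above, collected into the trustpoint configuration plus the exec commands and checks, as an added example that is not part of the original page. The enrollment URL with 1.1.1.1 is taken from the text; the subject name, the pinned CA fingerprint value and the CRL alternative are illustrative assumptions.

```cisco
! Added example, not from the original page. The fingerprint value is a
! placeholder; replace it with the one read from "show crypto pki server"
! on the CA or obtained from the CA administrator out of band.
crypto pki trustpoint iosca
 enrollment url http://1.1.1.1:80
 subject-name CN=HubIOSCA.cisco.com,O=cisco.com
 ! Lab setting from the text: revoked peer certificates are still accepted.
 revocation-check none
 ! Production alternative: reject a peer whose certificate is revoked.
 ! revocation-check crl
 !
 ! Pinning the expected CA fingerprint makes "crypto pki authenticate"
 ! refuse a CA certificate that does not match instead of prompting.
 fingerprint 0123456789ABCDEF0123456789ABCDEF
!
! Exec mode: fetch the CA certificate, then request the identity cert.
! Without the fingerprint line the router prints the fingerprint and asks
! "Do you accept this certificate? [yes/no]"; compare before answering yes.
! The enrollment challenge password is not stored; note it down, it is
! what the CA administrator asks for before revoking this certificate.
crypto pki authenticate iosca
crypto pki enroll iosca
!
! Verify: a "CA Certificate" and a "Certificate" must both be listed with
! Status: Available and Associated Trustpoints: iosca.
show crypto pki certificates iosca verbose
show crypto pki trustpoints status
```

crypto ca and crypto pki are the same command tree; the ca form used in the text is the older spelling and both are accepted on these releases. If the identity certificate stays in a pending state, check on the CA with show crypto pki server requests, which lists requests that have not been granted.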

IPsec negotiation can fail when certificates are used for ISAKMP authentication even though the certificates themselves are valid. With pre-shared keys the IKE packets are small, but with certificate authentication each peer sends its entire certificate inside the IKE exchange, which produces UDP packets larger than the path MTU. Those packets are fragmented, and because intermediate firewalls and NAT devices frequently drop IP fragments, the peer never receives the complete certificate and authentication fails.

Lower the MTU on the interface that carries the tunnel in order to solve this problem. Set the MTU to a size at which the IKE packets that carry the certificate do not have to be fragmented: